rado spake the following on 8/16/2006 3:49 AM: > On Wed, 2006-08-16 at 05:49 -0400, John Hinton wrote: >> I keep seeing 'Joe Average compromised computer on broadband' being used >> to do email dictionary attacks on our systems. Seems I always have >> several domains going through these. One in particular has been in the >> 'a-' list for weeks with about 20,000 attempts per day from various >> systems. Yeah, I do have a system which blocks email from these systems >> for a period of time after 3 bad email address attempts.... throttling... >> >> Anyway, this brought to mind.... Joe Average! Joe Average buys a >> broadband connection, has someone hook up his computer.. talks to tech >> support about everything and eventually, an AV subscription dies or >> something and Joe just doesn't care or doesn't know how to deal with >> that. Meanwhile Joe's computer gets a virus allowing some baddy to start >> sending email. Joe notices his computer is getting a little slow.. but >> it's not bad enough to worry about. >> >> So, this made me start wondering about how to do something that makes >> Joe's computer so slow that he finally gives up and calls in tech >> support to fix the damned thing. >> >> I wonder if there is a way that a firewall rule could be written, that >> would let a trickle of the connection from Joe through, so as his >> dictionary attack gets backed up with a huge number of connections which >> are trickling through at such a slow rate, with maybe just enough delay >> built in to make it keep trying.... Basically making Joe's compromised >> computer useless.. and maybe he'd at least turn it off if it didn't lock >> up all by itself.... >> >> It is so very sad that some providers don't monitor their own people. I >> see where comcast has now slid down to number 8 after holding the number >> one spot as the biggest spammer network for a very long time. Good for >> them! It seems the undisputed king of this world now is >> verizonbusiness.com.... bad bad very bad.... >> >> Sorry.. yeah.. a bit off topic...... >> >> John Hinton Better would be a rule to forward their connection to a honeypot / tarpit box that would do what you want ... tie up their connection for a while. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!